reference the VMWare IO port

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: reference the VMWare IO port
    namespace: anti-analysis/anti-vm/vm-detection
    authors:
      - matthew.williams@mandiant.com
    scopes:
      static: function
      dynamic: unsupported  # requires mnemonic features
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check - I/O Communication Port [B0009.025]
  features:
    - and:
      - mnemonic: in
      - number: 0x564D5868 = VMXh
      - number: 0x5658 = VX

last edited: 2023-11-24 10:34:28